only the minimum necessary rights should be assigned to a subject that requests access to a resource and should be in effect for the shortest duration necessary. granting permissions to a user beyond the scope of the necessary rights of an action can allow that user to obtain or change information in unwanted ways. therefore, careful delegation of access rights can limit attackers from damaging a system.